Flaws in the U.S. Vulnerabilities Equities Process
Last week, the security community was in a flurry around the disclosure of a severe vulnerability (known as CVE-2020-0601) in Microsoft’s Windows operating system. Notably, the attention arose because the National Security Agency (NSA) tipped off Microsoft, helping the tech giant patch the flaw instead of exploiting it for national security missions. NSA was praised for its cultural shift from offense to defense; however, in my opinion, not all that glitters is gold.
This event has brought much-needed attention to the Vulnerabilities Equities Process (VEP), the manner by which the U.S. government determines whether to withhold or disclose zero-day vulnerabilities. The inherent struggle between competing offensive and defensive interests makes the VEP incredibly difficult to implement.